Office of the Inspector General

1. Office of the Inspector General March 9, 2016

2. INTRODUCTION • Standards applicable to this presentation • Some of the Key Concepts related to Risks and Controls • Taxonomy of Risks: - Risk Categories - Sub-Areas of the Risk Categories • Risk Assessment Process • Results of Risk Assessment Process • Proposed Work Plans for 2016-2017 • Update on Pending Investigations

3. Article 118 of the General Standards & IPPF Performance Standards 2120-A1 According to Article 118 of the General Standards to Govern the Operations of the General Secretariat, “the Inspector General shall present to the Permanent Council, before the end of each year, a plan of activities for investigation and audit of the programs, services, and activities of the General Secretariat for the next two years and shall update it annually. The Permanent Council may request the inclusion of specific investigations or audits, once it reviews the plan”. Performance Standard 2120-A1 (Risk Management) of the International Professional Practice Framework (IPPF) for Internal Auditing, sates as follows: “the internal audit activity must evaluate risk exposures relating the organization’s governance, operations, and information systems regarding: • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations and programs; • Safeguard of assets, and • Compliance with laws, regulations, policies, procedures, and contracts.”

4. Risks and Controls – Key Concepts • Risk • Inherent Risk • Controls • Residual Risk • Risks and Controls Assessments • Taxonomy of Risks (next slide)

5. Risk Taxonomy The risks that may impact the GS/OAS’ vision, mission and objectives may be classified into four categories of risks

6. Risk Assessment Process • Purpose • Actions taken by the OIG a. Memo# SG/OIG/RIS/15-01 sent to GS/OAS management announcing the initial phase of the Risk Assessment process b. Information provided: - Details on the purpose and objective of the risk assessment - Components of the organization’s risk universe - Tables where participants can list the ten most critical processes/risks related to their areas and rank them based on their importance (probability and impact) to the achievement of the area’s objectives. Also, a heat map was provided to give the areas the option to chart the risks (next page) A heat map is a two-dimensional representation of data in which values are represented by colors. The heat map provides an immediate visual summary of information.

7. Summary Results of Risk Assessment – Top 20 Risk Areas Strategic and Development Mission, Values, and Priorities not relevant to the Region. Inputs or assumptions used for strategic decisions are incorrect. Country development outcomes not relevant or not supported by stakeholders. Failure to update the policies in a timely manner to reflect evolution of the strategy or lessons learned. Disconnect between institutional priorities and allocation of resources. Inability to attract, acquire and retain the necessary human talent. Budget- process timing inconsistent leading to poor planning. Operational Non-compliance with the code of ethics. The OAS does not have the infrastructure of information technology (e.g. hardware, networks, software, people and processes) that is needed to perform their tasks effectively. The current and future information requirements of the business are not reviewed periodically so they are efficient, profitable and well controlled. Lack of participation of specialists from the finance and procurement at the time of the review of the projects Operational Data information is outdated, inaccurate, or relevant data is unavailable. Obsolete recovery plan. Mismatch between the GS/OAS's needs and human resources skills and availability. Lack of clear definition of roles, responsibilities, accountability, and oversight. Budget resources are not adequate or properly allocated. Reporting Liquid assets are not available to meet the financial commitments of the GS/OAS, particularly for medium and long term commitments. Material or significant internal control deficiencies over financial reporting. Financing depends on unreliable income from Member States, resulting in financial and budgetary unpredictability and deficits. Compliance Lack of periodic reviews of insurance policies that ensure adequate coverage to protect the GS/OAS before new events and emerging risks: Cyber-attacks, interruptions of activities by catastrophe, etc. Recurring requests for exceptions to rules and regulations create internal conflicts and erodes credibility.

8. Heat Map 13 4 8 6 17 1 12 3 5 11 16 14 15 10 19 20 7 18 9 2 Suggestion Important Critical

9. Proposed Work Plans for 2016-2017The proposed 2016 and 2017 work plans are based on the risk assessment and requests from the Office of the Secretary General and the Permanent Council as well as information obtained by the OIG: Proposed Work Plan for 2016

10. Proposed Work Plan for 2017 (SG): Request from the Secretary General. (RA): OIG Risk Assessment. (PC): Request from the Permanent Council

11. OIG INVESTIGATIONS As of December 31, 2015, the OIG has 8 pending investigations, of which 2 will be closed following full investigation and 3 at the Preliminary Review phase. 3 investigations will be carried over OIG has a number of on-going investigations that are in preliminary review stages. The OIG will provide additional updates on those pending investigations in its 2015 Annual Report. The OIG is currently without an investigator. The investigator resigned on January 29 after a 5-month leave of absence and multiple other leaves without pay THANK YOU

12. Questions?